Companies transferring data out of China for processing should be aware of new guidance
issued on June 26 by China’s National Information Security Standardization Technical
Committee - the Cybersecurity Standards Specification for the Certification of Cross-Border
Processing of Personal Information.
Companies that wish to transfer data outside of China for processing are required by the
Personal Information Protection Law (PIPL) to do so in accordance with provisions of the
law. One basis for lawful transfer is certification by a third party. The Specification contains
details about how certification works and what obligations companies must fulfil to obtain it.
It establishes the situations in which the Specification applies, fundamental principles that
form the basis of the certification, basic requirements, and ways to obtain certification.
The Specification is not compulsory but represents one of several ways in which companies
can assure the legal transfer and processing of data across borders. Article 38 of the Personal
Information Protection Law provides five ways to legally process personal
information across borders. In addition to certification, organizations can:
- Meet the criteria of the security assessment provided for in Article 40 of the PIPL.
- Execute a contract, in accordance with the requirements of the CAC, that stipulates
the rights and obligations of the party receiving the data in accordance with the
standard contract formulated by the CAC.
- Meet the criteria of the security assessment required by industry regulators.
- Transfer and process data in accordance with the requirements of applicable
international agreements or treaties.
Data controllers and processors may apply for certification in two circumstances:
- First, when personal information is processed by data processors belonging to the
same multinational company or single economic or business entity. Thus, if a
company’s Chinese subsidiary collects personal data and it is transferred for
processing outside of China but within the company, certification can support the
legal transfer and processing of the data.
- Second, when personal information is processed by data controllers/processors
outside China in accordance with paragraph 2, Article 3 of PIPL. This provides that
certification is appropriate when transfer and processing occurs for purposes of
providing products or services for persons within China; to analyze or evaluate the
behavior of persons in China; or any other circumstance provided by law or
Companies exporting data from China are well-advised to understand their obligations to
establish a basis for processing that is recognized in China law. As noted above, in some
cases companies may rely upon contractual provisions as provided for by the Cyberspace
Administration of China (CAC). Contractual provisions do not meet requirements in every
case, and where they do not, companies must pursue certification. Reliance on contractual
provisions is limited to situations where:
1. The number of individuals whose personal information has been transferred is less
2. The number of individuals whose sensitive personal information has been transferred is
less than 10,000; and
3. The volume of personal information processed by the data pertains to no more than 1
It will be important for companies to understand how much data, and what kind of data, is
being processed and transferred when determining their obligations under Chinese law.
The Specification outlines the basic principles, requirements, and data subject rights as
factors to be considered before issuing the certification.
First, certification is based on basic principles related to lawfulness, transparency, data
integrity, accountability, and equivalent levels of protection.
Second, it establishes basic requirements such as the need for companies receiving data to
appoint a data protection officer and to conduct a data protection impact assessment.
Companies must also establish and abide by contractual obligations with respect to the
information transferred and processed, and ensure data subject rights.
Third, it articulates data subject rights and the steps that data controllers and processors must
take to honor them.
In comparison with the broad language of Article 38 of the PIPL, the Specification
demonstrates a more detailed scheme for certification. Additional points remain to be
clarified by regulators in China. Achieved Compliance will monitor further developments
with respect to the Specification and with China’s requirements for cross-border data transfer
and processing generally.
These are complicated and fast changing regulations, and it's important that your business avoids the fines and legal headaches that come with violating them. Please schedule a free consultation with Achieved if you have any questions.